[KERNEL32]

Clean-up IntReadConsoleOutputCode a little bit. [CONSRV] Fix a buffer overflow in SrvReadConsoleOutputString, which was translated sometimes into heap corruption and assert, triggered when freeing a remote captured buffer in csrsrv, when executing kernel32_winetest console, just during a call to ReadConsoleOutputCharacterA. Nevertheless I still keep the culprit code (commented-out now) because it might be useful in the future. svn path=/branches/ros-csrss/; revision=58229
2024-07-31 00:28:56 +00:00 · 2013-01-26 19:07:59 +00:00 · 2013-01-26 19:07:59 +00:00 · 7846f054ff
parent 6d28ec8640
commit 7846f054ff
2 changed files with 28 additions and 35 deletions
--- a/dll/win32/kernel32/client/console/readwrite.c
+++ b/dll/win32/kernel32/client/console/readwrite.c
@ -351,33 +351,26 @@ IntReadConsoleOutputCode(HANDLE hConsoleOutput,
    ReadOutputCodeRequest->CodeType = CodeType;
    ReadOutputCodeRequest->ReadCoord = dwReadCoord;

-    // while (nLength > 0)
+    ReadOutputCodeRequest->NumCodesToRead = nLength;
+
+    Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage,
+                                 CaptureBuffer,
+                                 CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString),
+                                 sizeof(CONSOLE_READOUTPUTCODE));
+    if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status))
    {
-        ReadOutputCodeRequest->NumCodesToRead = nLength;
-        // SizeBytes = ReadOutputCodeRequest->NumCodesToRead * CodeSize;
-
-        Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage,
-                                     CaptureBuffer,
-                                     CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString),
-                                     sizeof(CONSOLE_READOUTPUTCODE));
-        if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status))
-        {
-            BaseSetLastNTError(Status);
-            CsrFreeCaptureBuffer(CaptureBuffer);
-            return FALSE;
-        }
-
-        BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize;
-        memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead);
-        // pCode = (PVOID)((ULONG_PTR)pCode + /*(ULONG_PTR)*/BytesRead);
-        // nLength -= ReadOutputCodeRequest->CodesRead;
-        // CodesRead += ReadOutputCodeRequest->CodesRead;
-
-        ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord;
+        BaseSetLastNTError(Status);
+        CsrFreeCaptureBuffer(CaptureBuffer);
+        return FALSE;
    }

+    BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize;
+    memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead);
+
+    ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord;
+
    if (lpNumberOfCodesRead != NULL)
-        *lpNumberOfCodesRead = /*CodesRead;*/ ReadOutputCodeRequest->CodesRead;
+        *lpNumberOfCodesRead = ReadOutputCodeRequest->CodesRead;

    CsrFreeCaptureBuffer(CaptureBuffer);

--- a/win32ss/user/consrv/conoutput.c
+++ b/win32ss/user/consrv/conoutput.c
@ -862,20 +862,20 @@ CSR_API(SrvReadConsoleOutputString)
        }
    }

-    switch (CodeType)
-    {
-        case CODE_UNICODE:
-            *(PWCHAR)ReadBuffer = 0;
-            break;
+    // switch (CodeType)
+    // {
+        // case CODE_UNICODE:
+            // *(PWCHAR)ReadBuffer = 0;
+            // break;

-        case CODE_ASCII:
-            *(PCHAR)ReadBuffer = 0;
-            break;
+        // case CODE_ASCII:
+            // *(PCHAR)ReadBuffer = 0;
+            // break;

-        case CODE_ATTRIBUTE:
-            *(PWORD)ReadBuffer = 0;
-            break;
-    }
+        // case CODE_ATTRIBUTE:
+            // *(PWORD)ReadBuffer = 0;
+            // break;
+    // }

    ReadOutputCodeRequest->EndCoord.X = Xpos;
    ReadOutputCodeRequest->EndCoord.Y = (Ypos - Buff->VirtualY + Buff->MaxY) % Buff->MaxY;